New PINs and On-Demand Tokencodes for Authentication Agents and RADIUS Clients

On-demand tokencodes always require a PIN. As a result, an administrator cannot clear the PIN of a user with an on-demand tokencode without assigning a temporary PIN. The user experience of changing the PIN of an on-demand tokencode depends on the method used to request the tokencode.

For a tokencode requested through an authentication agent or RADIUS client:

1. The user attempts to access a protected resource, and the agent prompts the user to enter a User ID and passcode.

2. When prompted for the passcode, the user enters the current PIN, which could be an expiring PIN or a temporary PIN assigned by the administrator.

3. The agent prompts the user to enter a new PIN and to confirm the new PIN.

4. The user enters a new PIN and confirms the new PIN.

5. The agent prompts the user to enter a passcode.

6. The user enters the new PIN.

7. AM sends the on-demand tokencode to the user.

8. When the agent prompts the user for next tokencode, the user enters the received on-demand tokencode.